Welcome

Sri Lanka became the first South Asian country to enact an independent legislation for personal data protection --- Personal Data Protection Act No.9 of 2022 (“PDPA”). This is an essential legislation for Sri Lanka that referenced international good practices of Europe,

United States, and Asia. While legal frameworks are vital to protecting personal data in many systems, they must be put into practice with policy frameworks and regulations, organizational, management, and technology safeguards to ensure all entities adhere to legal obligations to set out in the PDPA.
Data Protection Authority of Sri Lanka has been established in August 2023 under the Personal Data Protection Act No. 9 of 2022 to regulate the processing of personal data in accordance with the provisions of this Act to safeguard the privacy of data subjects from any adverse impact arising from the digitalization of procedures and services in both public and private sectors.

It will provide for mechanisms to ensure the protection of personal data of data subjects engaged in digital transactions and communications while ensuring regulatory compliance with the provisions of this Act to facilitate growth and innovation in the digital economy.
Leading the Board of Directors is Arjuna Herath, a Senior Chartered Accountant and former Consulting Leader of Ernst & Young in Sri Lanka and the Maldives. Other notable members include Attorney-at-Law and Former State Counsel Nisith Abeysooriya, President’s Counsel Saumya Amarasekera,

In terms of Sections 29(3) and 30(1) of the Act, on August 10, 2023 Hon. President has appointed the Chairperson and Members of the Board of Directors of the Data Protection Authority for a period of three (03) years:
  1. Mr. Arjuna Herath (Chairman)
  2. Mr. Nisith Abeysooriya
  3. Mr. Jayantha Fernando
  4. Mr. Bimsara Seneviratne
  5. Ms. Saumya Amarasekera
  6. Mr. Shehan Wijetilaka
  7. Dr. Sulakshana Jayawardana

In November 2023, Mr. Waruna Sri Dhanapala – a Special Grade officer of Sri Lanka Administrative Service – was appointed to the position of Director General on acting basis for a limited period, pending the appointment of a full-time officer to the position as per the provisions of the PDPA.

Our Values

The independence of the DPA is a cornerstone of data protection. Therefore, we will remain free from external influence and act with complete independence in performing our tasks and exercising our powers.

Treating all individuals as well as public and private organisations fairly is fundamental for the credibility of the DPA. Therefore, we will make impartial and fair decisions based on high-quality evidence.

We acknowledge that our work will often bring us into contact with some of the most vulnerable members of society. Treating all individuals and organisations with respect and dignity will be the cornerstone of our culture. We will listen carefully to all our stakeholders to understand their privacy concerns and respond appropriately.

We will ensure that that considerations are made to protect the rights of all equally, no matter their race, religion, language, caste, sex or any other grounds specified in Sri Lanka’s constitution.

Our work will be guided by truthfulness and ethical behaviour. In delivering our services, we will have a human-centric and inclusive approach. We will respect the sensitivity of the information we receive and protect it accordingly.

We will observe high professional standards and be consistent in our approach, guidance and decision-making.

Our journey to becoming an exemplary and trusted DPA requires transparency. We will be open and accessible to the public and proactively provide information about our actions and interventions.

We will be responsive and accountable for our actions and critically and continuously evaluate our performance.

We will not only promote privacy-friendly innovations but will be forward-looking and creative in delivering our services, promoting a culture of continuous improvement to achieve excellence in our field.